Journal of Grid Computing

, Volume 14, Issue 3, pp 477–493 | Cite as

Modelling Fine-Grained Access Control Policies in Grids

  • Benjamin Aziz


This paper presents an abstract specification of an enforcement mechanism of usage control for Grids, and verifies formally that such mechanism enforces UCON policies. Our technique is based on KAOS, a goal-oriented requirements engineering methodology with a formal LTL-based language and semantics. KAOS is used in a bottom-up form. We abstract the specification of the enforcement mechanism from current implementations of usage control for Grids. The result of this process is agent and operation models that describe the main components and operations of the enforcement mechanism. KAOS is used in top-down form by applying goal-refinement in order to refine UCON policies. The result of this process is a goal-refinement tree, which shows how a goal (policy) can be decomposed into sub-goals. Verification that a policy can be enforced is then equivalent to prove that a goal can be implemented by the enforcement mechanism represented by the agent and operation models.


Access control Grid authorisation Usage control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Foster, I., Kesselman, C., Tuecke, S.: The anatomy of the grid: enabling scalable virtual organizations. International Journal of Supercomputer Applications 15(3) (2001)Google Scholar
  2. 2.
    Venugopal, S., Buyya, R., Ramamohanarao, K.: A taxonomy of data grids for distributed data sharing, management, and processing. ACM Comput. Surv. 38(1), 3 (2006)CrossRefGoogle Scholar
  3. 3.
    Park, J., Sandhu, R.: The UCON ABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128 (2004)CrossRefGoogle Scholar
  4. 4.
    Pretschner, A., Hilty, M., Basin, D.: Distributed usage control. Commun. ACM 49(9), 39 (2006)CrossRefGoogle Scholar
  5. 5.
    Martinelli, F., Mori, P.: A model for usage control in GRID systems. In: Grid-STP2007, International Conference on Security, Trust and Privacy in Grid Systems. IEEE Computer Society (2007)Google Scholar
  6. 6.
    Zhang, X., Nakae, M., Covington, M.J., Sandhu, R.: Toward a usage-based security framework for collaborative computing systems. ACM Trans. Inf. Syst. Secur. 11(1), 3:1 (2008)CrossRefGoogle Scholar
  7. 7.
    van Lamsweerde, A.: Requirements Engineering in the Year 00: A Research Perspective. In: International Conference on Software Engineering, pp. 5–19 (2000)Google Scholar
  8. 8.
    Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8(4), 351 (2005)CrossRefGoogle Scholar
  9. 9.
    Sandhu, R., Park, J.: Usage control: A vision for next generation access control. In: MMM-ACNS, pp. 17–31 (2003)Google Scholar
  10. 10.
    Martinelli, F., Mori, P.: On usage control for GRID systems. Futur. Gener. Comput. Syst. 26 (7), 1032 (2010)CrossRefGoogle Scholar
  11. 11.
    Naqvi, S., Massonet, P., Aziz, B., Arenas, A., Martinelli, F., Mori, P., Blasi, L., Cortese, G.: Fine-grained continuous usage control of service based grids - The GridTrust approach. In: Proceedings of the 1st European Conference on Towards a Service-Based Internet, Springer-Verlag, ServiceWave’08, pp. 242–253 (2008)Google Scholar
  12. 12.
    OASIS: Oasis Extensible Access Control Markup Language (XACML), (2005)
  13. 13.
    e Ghazia, U., Masood, R., Shibli, M.A., Bilal, M.: Usage control model specification in XACML policy language. In: Proceedings of the 11th IFIP TC 8 International Conference on Computer Information Systems and Industrial Management, Springer-Verlag, CISIM’12, pp. 68–79 (2012)Google Scholar
  14. 14.
    Colombo, M., Lazouski, A., Martinelli, F., Mori, P.: A proposal on enhancing XACML with continuous usage control features. In: Desprez, F., Getov, V., Priol, T., Yahyapour, R. (eds.) Grids, P2P and Services Computing, pp. 133–146. Springer (2010)Google Scholar
  15. 15.
    Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Martinelli, F., Mori, P.: Testing of PolPA-based usage control systems. Softw. Qual. Control 22(2), 241 (2014)CrossRefGoogle Scholar
  16. 16.
    Foster, I., Kesselman, C., Tuecke, S.: The anatomy of the grid: Enabling scalable virtual organizations. Int. J. High Perform. Comput. Appl. 15(3), 200 (2001)CrossRefGoogle Scholar
  17. 17.
    Chadwick, D.: Functional Components of Grid Service Provider Authorisation Service Middleware. Technical Report, Open Grid Forum (2008)Google Scholar
  18. 18.
    van Lamsweerde, A.: Requirements engineering - from system goals to UML models to software specifications. Wiley (2009)Google Scholar
  19. 19.
    Vardi, M. Y.: Branching vs. linear time: Final showdown. In: Margaria, T., Yi, W. (eds.) Proceedings of the 7th International Conference On Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2001), Lecture Notes in Computer Science, vol. 2031, pp. 1–22. Springer (2001)Google Scholar
  20. 20.
    Objectover: A Power Tool to Engineer Your Business and Technical Requirements. (2015)
  21. 21.
    Moffett, J., Sloman, M.: Policy Hierarchies for Distributed Systems Management. IEEE J. Selected Areas in Communications 11(9), 14 04 (1993)CrossRefGoogle Scholar
  22. 22.
    Bandara, A.K., Lupu, E.C., Moffett, J., Russo, A.: A goal-based approach to policy refinement. In: 5th IEEE Workshop on Policies for Distributed Systems and Networks. IEEE Computer Society (2004)Google Scholar
  23. 23.
    Ponsard, C., Massonet, P., Molderez, J. F., Rifaut, A., van Lamsweerde, A., Hung, T.V.: Early verification and validation of mission critical systems. J. Form. Methods Syst. Des. 30(3) (2007)Google Scholar
  24. 24.
    Letier, E., van Lamsweerde, A.: Deriving operational software specifications from system goals. In: FSE’10: 10th ACM SIGSOFT Symposium on the Foundations of Software Engineering (2002)Google Scholar
  25. 25.
    Lorch, M., Kafura, D.: The PRIMA grid authorization system. J. Grid Comput. 2(3), 279 (2004)CrossRefMATHGoogle Scholar
  26. 26.
    Dumitrescu, C.L., Raicu, I., Foster, I.: The design, usage, and performance of GRUBER: A grid usage service level agreement based brokERing infrastructure. J. Grid Comput. 5(1), 99 (2007)CrossRefGoogle Scholar
  27. 27.
    Lang, B., Foster, I., Siebenlist, F., Ananthakrishnan, R., Freeman, T.: A flexible attribute based access control method for grid computing. J. Grid Comput. 7(2), 169 (2009)CrossRefGoogle Scholar
  28. 28.
    Muppavarapu, V., Chung, S.: Role-based access control in a data grid using the storage resource broker and shibboleth. J. Grid Comput. 7(2), 265 (2009)CrossRefGoogle Scholar
  29. 29.
    Rubio-Loyola, J., Serrat, J., Charalambides, M., Flegkas, P., Pavlou, G., Lafuente, A.: Using linear temporal model checking for goal-oriented policy refinement frameworks. In: 6th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 181–190 (2005)Google Scholar
  30. 30.
    Su, L., Chadwick, D., Basden, A., Cunningham, J.: Automated decomposition of access control policies. In: 6th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 3–13. IEEE Computer Society (2005)Google Scholar
  31. 31.
    Janicke, H., Cau, A., Siewe, F., Zedan, H.: Deriving Enforcement Mechanisms from Policies. IEEE Computer Society (2007)Google Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2015

Authors and Affiliations

  1. 1.School of ComputingUniversity of PortsmouthPortsmouthUK

Personalised recommendations